Papers
Topics
Authors
Recent
Search
2000 character limit reached

Cascaded Hiding Network (HNet) Overview

Updated 7 July 2026
  • The paper introduces a cascaded Hiding Network (HNet) that embeds recoverable watermarks into images post-task to conceal data without altering visual quality.
  • It describes two operational forms—box-free watermarking and a shared deep network formulation—leveraging U-Net inspired architecture for dual-purpose style transfer and data hiding.
  • Experimental evaluations demonstrate 100% watermark removal success using forward-surrogate attacks, achieving high fidelity with metrics like 34.69 dB PSNR and MS-SSIM > 0.990.

Searching arXiv for the provided HNet-related papers and closely related terminology. Cascaded Hiding Network (HNet) denotes a neural hiding component or hiding-oriented network organization in which concealed functionality is embedded within an apparently ordinary image-processing pipeline. In the explicit box-free watermarking formulation, HNet is cascaded after a task network and before watermark extraction, so that the released image is visually similar to the task output while carrying a recoverable mark. In the closely related “hiding data hiding” formulation, a single shared deep network behaves in an HNet-style manner by openly performing style transfer while secretly acting as both data embedder and extractor under different paired inputs. Across these formulations, the defining idea is not only to hide payloads in images, but also to hide the existence or operational role of the hiding mechanism itself (An et al., 24 Jul 2025, Wu et al., 2021).

1. Conceptual scope and nomenclature

In the box-free watermarking setting, the protected system is a cascade of three components: GNet, which performs the image task itself; HNet, which embeds the watermark into the GNet output; and ENet, which extracts the watermark from the marked output. The pipeline is

bi=GNet(ai),bi=HNet(Concat(bi,δ)),δ^=ENet(bi).b_i = \mathrm{GNet}(a_i), \qquad b_i' = \mathrm{HNet}(\mathrm{Concat}(b_i,\delta)), \qquad \hat{\delta} = \mathrm{ENet}(b_i').

Here, aiAa_i \in A is the input image, biBb_i \in B is the processed but unmarked output from GNet, biBb_i' \in B' is the final marked output released by the system, and δ\delta is the watermark image. The paper further defines the externally exposed black-box service as

ONet=GNet+HNet.\mathrm{ONet} = \mathrm{GNet} + \mathrm{HNet}.

Within this terminology, HNet is the actual watermark embedder, whereas GNet produces the semantic or content transformation and ENet verifies watermark presence (An et al., 24 Jul 2025).

The 2021 “hiding data hiding” framework does not explicitly use the name HNet, but it is described as a single shared deep network that behaves like a multi-purpose, cascaded hiding network. The proposed DNN FwF_w is trained so that, with input (x,y)(x,y), it performs style transfer; with input (c,m)(c,m), it performs data embedding; and with input (s,r)(s,r), it performs data extraction. In that formulation, the hiding functions are camouflaged as an ordinary task, namely style transfer. This suggests that “Cascaded Hiding Network” can refer not only to an explicit post-task watermarking module, but also to a shared hidden-functionality network whose visible behavior masks covert embedding and recovery capabilities (Wu et al., 2021).

2. Cascaded operational forms

The most explicit cascaded form occurs in box-free watermarking, where HNet is inserted after the task network. The user or attacker observes only the final marked image aiAa_i \in A0, not the intermediate task output aiAa_i \in A1. This separation is central to the security claim of box-free watermarking: the watermarking mechanism is hidden inside ONet, and the unmarked image is never directly exposed (An et al., 24 Jul 2025).

The HDH formulation realizes a different but structurally related cascade. The same network aiAa_i \in A2 is applied twice in sequence:

aiAa_i \in A3

The first application creates a stego image aiAa_i \in A4, and the second application reconstructs the secret from the stego image and a trigger image:

aiAa_i \in A5

This is an implicit two-stage hidden pipeline in which embedding and extraction are both internalized by the same parameter set aiAa_i \in A6. The paper emphasizes that task selection is controlled by the second input image: the style image aiAa_i \in A7 selects style transfer mode, the binary secret image aiAa_i \in A8 selects embedding mode, and the trigger image aiAa_i \in A9 selects extraction mode. A fully black image, with all pixels equal to zero, is used as the default trigger, and the paper states that without it the network will not recover the secret reliably (Wu et al., 2021).

These two operational forms differ in decomposition. The box-free watermarking literature separates the task model, hiding model, and extractor into GNet, HNet, and ENet. The HDH framework does not split the hiding system into separate encoder and decoder modules; instead, one encoder-decoder backbone doubles as an embedding generator, an extraction reconstructor, and a style-transfer synthesizer. A plausible implication is that “cascaded” in HNet-related work can denote either explicit model composition or sequential re-use of a shared model under mode-selecting inputs (Wu et al., 2021).

3. Architecture and data representation in the HNet-style HDH formulation

The HDH network biBb_i \in B0 is inspired by U-Net, but modified for the hiding-data-hiding purpose. Its input consists of two images concatenated channel-wise, for example biBb_i \in B1 plus biBb_i \in B2 to produce biBb_i \in B3. The encoder/down-sampling path uses several convolution layers to reduce the feature map to biBb_i \in B4, and the decoder/up-sampling path uses transposed convolutions to restore the image size to biBb_i \in B5. Down-sampling layers use LeakyReLU, up-sampling layers use ReLU, batch normalization is used except in the first down-sampling layer, and dropout is used in the first two up-sampling layers. Unlike standard U-Net, no max-pooling and no cropping are used, because preserving information is important for extraction (Wu et al., 2021).

For style transfer, the network computes

biBb_i \in B6

where biBb_i \in B7 should have the content of biBb_i \in B8 and the style of biBb_i \in B9. For data embedding, it computes

biBb_i' \in B'0

where biBb_i' \in B'1 is the stego image and should remain visually close to the cover biBb_i' \in B'2 while still allowing full recovery of biBb_i' \in B'3. For data extraction, it computes

biBb_i' \in B'4

Because the same backbone is reused in all three modes, the encoder learns different feature couplings depending on input pairing: content-style fusion in style transfer, secret-bit injection in embedding, and trigger-conditioned secret reconstruction in extraction (Wu et al., 2021).

The secret data biBb_i' \in B'5 is represented as a binary image made of disjoint biBb_i' \in B'6 blocks, each carrying one secret bit. If the bit is 0, all pixels in the block are set to 0; if the bit is 1, all pixels in the block are set to 1. The actual payload length is

biBb_i' \in B'7

Since the final layer uses biBb_i' \in B'8, output values lie in biBb_i' \in B'9. Decoding is performed blockwise by averaging each block and assigning bit 1 if the average is greater than 0, and 0 otherwise. This yields a direct blockwise bit recovery mechanism (Wu et al., 2021).

4. Training objectives and optimization

The HDH model is trained jointly on style transfer and hiding/extraction. For style transfer, the network output is trained against a ground-truth style-transferred image δ\delta0 with

δ\delta1

where δ\delta2 is the number of elements in δ\delta3. For cover δ\delta4, secret δ\delta5, and trigger δ\delta6, the embedding-plus-extraction loss is

δ\delta7

The first term preserves visual similarity between stego and cover, and the second term reconstructs the secret accurately. The total loss is

δ\delta8

with default values δ\delta9. Training is performed in a multi-task joint manner: for each batch, the style transfer task, embedding task, and extraction task are performed, and the network parameters are then updated. The optimizer is Adam with learning rate ONet=GNet+HNet.\mathrm{ONet} = \mathrm{GNet} + \mathrm{HNet}.0, ONet=GNet+HNet.\mathrm{ONet} = \mathrm{GNet} + \mathrm{HNet}.1, ONet=GNet+HNet.\mathrm{ONet} = \mathrm{GNet} + \mathrm{HNet}.2, and batch size 1 (Wu et al., 2021).

In box-free watermarking, the defender jointly trains HNet, D, and ENet, while GNet is pretrained and frozen. The joint loss is

ONet=GNet+HNet.\mathrm{ONet} = \mathrm{GNet} + \mathrm{HNet}.3

with

ONet=GNet+HNet.\mathrm{ONet} = \mathrm{GNet} + \mathrm{HNet}.4

ONet=GNet+HNet.\mathrm{ONet} = \mathrm{GNet} + \mathrm{HNet}.5

ONet=GNet+HNet.\mathrm{ONet} = \mathrm{GNet} + \mathrm{HNet}.6

The fidelity term forces ONet=GNet+HNet.\mathrm{ONet} = \mathrm{GNet} + \mathrm{HNet}.7 to look like ONet=GNet+HNet.\mathrm{ONet} = \mathrm{GNet} + \mathrm{HNet}.8, the mark term ensures watermark extraction from marked images and all-white output on unmarked or random images, and the adversarial term makes marked and unmarked outputs hard to distinguish (An et al., 24 Jul 2025).

5. Reverse engineering, attack models, and security limitations

The strict black-box threat model in the 2025 study grants the attacker query access to the cloud API, observation of only the released marked outputs ONet=GNet+HNet.\mathrm{ONet} = \mathrm{GNet} + \mathrm{HNet}.9, and no knowledge of the HNet architecture, HNet weights, ENet, or the intermediate output FwF_w0. The removal objective is

FwF_w1

A successful attack either recovers the unmarked image FwF_w2 or produces an output whose ENet-extracted watermark is no longer the target FwF_w3. The attacks rely on specially crafted query inputs FwF_w4 that approximately satisfy FwF_w5, described as an “identity transformation” assumption. Examples given are rain-free images for deraining GNet and masked or minimally transformed inputs for image generation or editing (An et al., 24 Jul 2025).

The first attack learns an inverse operator for HNet. From curated queries, the attacker obtains approximate direct HNet samples FwF_w6 and trains FwF_w7 with

FwF_w8

The paper characterizes this attack as simple, intuitive, query-based, and effective at removing the watermark, but also states that it yields unsatisfactory image quality relative to the original FwF_w9 because the inverse mapping is hard to learn in a nonlinear, high-dimensional setting (An et al., 24 Jul 2025).

The second attack exploits the equivalent additive property of box-free model watermarking. The marked output is written as

(x,y)(x,y)0

where (x,y)(x,y)1 is the additive equivalent or latent representation of the watermark. The paper motivates this with a first-order Taylor expansion around (x,y)(x,y)2 and verifies the approximation empirically by feeding the residual (x,y)(x,y)3 to ENet:

(x,y)(x,y)4

Instead of inverting HNet, the attacker trains a forward surrogate

(x,y)(x,y)5

with

(x,y)(x,y)6

and then estimates

(x,y)(x,y)7

The paper argues that this forward-surrogate approach is better than inversion because it avoids the ill-conditioned inverse mapping, directly models the embedded residual, and reconstructs the unmarked image more faithfully (An et al., 24 Jul 2025).

Empirically, both attacks achieved

(x,y)(x,y)8

across all eight reported settings, corresponding to 100% watermark removal success against both victim systems—(x,y)(x,y)9 from Wu et al. (2020) and (c,m)(c,m)0 from Zhang et al. (2024)—on both image deraining and image generation or text-image-to-image editing via Stable Diffusion. The forward-HNet attack was consistently better in image quality, with the best reported fidelity reaching 34.69 dB PSNR for (c,m)(c,m)1 in deraining, and with MS-SSIM exceeding (c,m)(c,m)2 in that setting. The ablation study further shows that if the attacker does not bypass GNet and instead trains on ordinary (c,m)(c,m)3 pairs, (c,m)(c,m)4 can remove watermarks only with severe quality degradation, while forward HNet fails to remove the watermark properly and instead mixes in source content (An et al., 24 Jul 2025).

6. Security interpretation, robustness measures, and neighboring terminology

The HDH framework shifts the security objective from merely hiding payloads in images to hiding the very presence of data-hiding tools by making sender and receiver appear to use ordinary style-transfer processing. The paper also discusses adversarial training with Gaussian noise to improve robustness, the use of error-correcting codes if needed, and security testing using XuNet steganalysis. In that formulation, the covert capability is concealed behind a benign application, and the style-transfer behavior is the visible cover for the hidden functions (Wu et al., 2021).

The 2025 attack paper reaches the complementary conclusion that cascading HNet after GNet does not make box-free watermarking secure under black-box API access. Its practical defense suggestion is API query screening / identity-transformation detection, for example by comparing input (c,m)(c,m)5 and output (c,m)(c,m)6 by Euclidean distance and, if they are too similar, returning (c,m)(c,m)7 or issuing a warning. This suggests that HNet security depends not only on invisibility of the mark in (c,m)(c,m)8, but also on the difficulty of isolating HNet behavior through query design (An et al., 24 Jul 2025).

A common source of terminological confusion is the distinction between HNet and Hidden Network (HNN). “HALO-CAT: A Hidden Network Processor with Activation-Localized CIM Architecture and Layer-Penetrative Tiling” concerns HNN processing, not a Cascaded Hiding Network. In that literature, a network is initialized with random weights, a sparse binary supermask selects a useful subnetwork, and HALO-CAT accelerates this HNN-style inference with Layer-Penetrative Tiling (LPT) and an Activation-Localized (AL) computing-in-memory architecture. The paper explicitly states that this is not a separate “Cascaded Hiding Network” model; the nearest analogue to “cascaded” is deep cross-layer execution or layer-fused scheduling. This distinction is important because HNN in the HALO-CAT sense is a hardware-software co-design target for inference acceleration, whereas HNet in the hiding literature is a concealment or watermark-embedding mechanism within an image-processing pipeline (Chen et al., 2023).

Topic to Video (Beta)

No one has generated a video about this topic yet.

Whiteboard

No one has generated a whiteboard explanation for this topic yet.

Follow Topic

Get notified by email when new papers are published related to Cascaded Hiding Network (HNet).